[Opensource] new filter docs, HtmlPlusURLFilter

larry hamel expresso at codeguild.com
Mon Mar 22 16:22:04 PST 2004


Below is text from the latest, updated EDG regarding string filtering.

Note, at the bottom, a new feature for recognizing and automatically anchoring URLs from a user's input text.

Regarding XSS, the URL recognition does additional stripping for hex representations of '<', so I think this is sufficient.  Let me know if you see problems with this. 

larry

-----------------
Setting Filter Characteristics in DBObject

By default, the filter class is HtmlFilter.java, and the method is set to 'standardFilter'. To set the filter method for a field in your DBObject, use setStringFilter(fieldname, filtername) within your setupFields() of the object, like

protected synchronized void setupFields() throws DBException {
    ...
    setStringFilter("myfield", FilterManager.RAW_FILTER);
    ...
}

(There is also DBObject.setStringFilterOnAll() if you want to have the same filter on all fields. Call this AFTER
adding all fields in setupFields().)

Note that setStringFilter() sets the filter PERMANENTLY FOR ALL INVOCATIONS for your class because it sets the "metadata" information, which is held statically. If you need some special filtering, on a permanent basis, a different Filter class can be set by getting the metadata and setting DBField.setFilterClass() like

protected synchronized void setupFields() throws DBException {
    ...
    fieldMeta = (DBField) getMetaData().getFieldMetadata("myfield");
    fieldMeta.setFilterClass(HtmlPlusURLFilter.class);
    ...
}

In order to set the string filter for just an instance, you can use DBObject.setFilterClass(Filter); note the contrast:
above was DBField, which is permanent in metadata, and here we are talking about DBObject.setFilterClass(Filter), which only pertains to the instance, the DBObject instance explicitly referenced. For example, let's say you have a
field which is edited (after initial storage) as a text area, and you want its contents to show up for editing with regular line feeds, instead of <br> for breaks in the text area. You can do the following in some controller which creates the Input for the text area:

// temporarily switch this instance to the raw filter
Filter old = existing.setFilterClass(new RawFilter());
summaryStr = existing.getField("MyField");
// restore the previous filter
existing.setFilterClass(old);

Input title = new Input("myinput");
title.setType(Input.ATTRIBUTE_TEXTAREA);
title.setDefaultValue(summaryStr);

DBObject.setFilterClass(Filter) changes the Filter class on the instance, but not the filter method, which is specified on the metadata statically. Here we have used RawFilter(), which returns the raw text, no matter what filter method is called on the Filter, no matter what field is accessed. Again, the Filter class applies to all fields. There is currently no way to specify a method name in a per-instance way, or to specify a per-field filter per instance, but from the usage above, such fine-grained approaches may not be necessary.

In addition to HtmlFilter and RawFilter, there is XmlFilter, suitable for generating XML (if you are not using XSL for that), and also HtmlPlusURLFilter. HtmlPlusURLFilter subclasses HtmlFilter, adding an ability to recognize user-entered text which begins with 'http://' or 'www.', etc., and automatically create an anchor (<a>) tag from it.
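As an added illustration (not the Expresso HtmlPlusURLFilter source), the sketch below shows the escape-then-anchor behaviour described above in plain Java: the class name, the URL regex, and the removal of percent-encoded '<' and '>' (%3C/%3E) before the href is built are all assumptions of this example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Illustrative stand-in for the behaviour the post describes, not Expresso's
// own HtmlPlusURLFilter. Assumption: a token starting with http://, https://
// or www. is a URL; all other text is HTML-escaped as HtmlFilter would do.
public final class UrlAnchorExample {
    private static final Pattern URL = Pattern.compile(
        "(?i)\\b(?:https?://|www\\.)[^\\s<>\"']+");
    // Percent-encoded '<' and '>' in either hex case, e.g. %3C or %3e.
    private static final Pattern ENCODED_ANGLE = Pattern.compile("(?i)%3[ce]");

    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escapes text and wraps recognised URLs in <a> tags. */
    public static String filter(String userText) {
        StringBuilder out = new StringBuilder();
        Matcher m = URL.matcher(userText);
        int last = 0;
        while (m.find()) {
            out.append(escapeHtml(userText.substring(last, m.start())));
            // Drop encoded angle brackets so a decoded href cannot carry a tag,
            // then escape what remains before it goes into the attribute.
            String url = ENCODED_ANGLE.matcher(m.group()).replaceAll("");
            String href = url.toLowerCase().startsWith("www.") ? "http://" + url : url;
            out.append("<a href=\"").append(escapeHtml(href)).append("\">")
               .append(escapeHtml(url)).append("</a>");
            last = m.end();
        }
        out.append(escapeHtml(userText.substring(last)));
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println(filter("Try www.example.com/?q=%3Cb%3E and <i>not this</i>"));
    }
}
```

Because a literal '<' ends the URL match, only percent-encoded forms can reach the href, which is why the example strips them there; the trailing-punctuation case (a URL ending a sentence) is left unhandled on purpose.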


Larry Hamel
----------------------
Free link-test tool (special handling for Expresso sites): http://morebot.org
Custom web site development: http://codeguild.com 